vidar | 630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced

Resubmissions

13-02-2025 19:55

250213-yna1qstjbk 10

13-02-2025 13:16

250213-qhvtysxrgr 10

Analysis

max time kernel
300s
max time network
295s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
13-02-2025 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.ps1
Size

29B
MD5

726ac161772f83ef4c852d6c3e158e86
SHA1

66b5487d1d873300d241e96fed4e1ba5d8fea2af
SHA256

630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced
SHA512

0b103e71e1a6b5ba400981f45ba460290ec97bd424a80ed4675b12aa68e9d3426bc253c5ae63ad4deba146b69a10b8f532c40344e6194482c3cc73bc4ab95910

Score

10^/10

vidar adware credential_access discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral2/memory/2472-54-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-58-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-67-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-68-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-69-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-70-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-105-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral2/memory/2472-106-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4240	powershell.exe
5	4240	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
12	2748	Process not Found
56	2748	Process not Found

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2980	chrome.exe
1960	chrome.exe
3896	chrome.exe
2452	chrome.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
4392	updater.exe
3212	setup.exe
4704	setup.exe
3144	setup.exe
3140	setup.exe
1284	setup.exe
2328	setup.exe
3328	setup.exe
2124	setup.exe
4252	setup.exe
2004	setup.exe
2668	setup.exe
1212	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 2472	4392	updater.exe	88

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Social	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Mu\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\onnxruntime.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr-CA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ar.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\te.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ca-Es-VALENCIA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\ug.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ug.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\133.0.3065.59.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\fr-CA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3144_13383926384632817_3144.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\is.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\zh-CN.pak	setup.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\5f6f040c-6ec0-4187-8dff-81c7b8e51edb.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\e810831b-2835-4067-a36c-88f54a92c7fe.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4240	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1388	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839263101130119"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4240	powershell.exe
4240	powershell.exe
2472	BitLockerToGo.exe
2472	BitLockerToGo.exe
2472	BitLockerToGo.exe
2472	BitLockerToGo.exe
1960	chrome.exe
1960	chrome.exe
1284	setup.exe
1284	setup.exe
124	chrome.exe
124	chrome.exe
124	chrome.exe
124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4392	4240	powershell.exe	87
PID 4240 wrote to memory of 4392	4240	powershell.exe	87
PID 4240 wrote to memory of 4392	4240	powershell.exe	87
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 4392 wrote to memory of 2472	4392	updater.exe	88
PID 2472 wrote to memory of 1960	2472	BitLockerToGo.exe	89
PID 2472 wrote to memory of 1960	2472	BitLockerToGo.exe	89
PID 1960 wrote to memory of 4596	1960	chrome.exe	90
PID 1960 wrote to memory of 4596	1960	chrome.exe	90
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 1680	1960	chrome.exe	91
PID 1960 wrote to memory of 3240	1960	chrome.exe	92
PID 1960 wrote to memory of 3240	1960	chrome.exe	92
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93
PID 1960 wrote to memory of 3496	1960	chrome.exe	93

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\70fc33f9-3aac-42ba-ad10-317d261bd0f4\updater.exe
  "C:\Users\Admin\AppData\Local\70fc33f9-3aac-42ba-ad10-317d261bd0f4\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd7dfcc40,0x7ffcd7dfcc4c,0x7ffcd7dfcc58
        5⤵
        
        PID:4596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1824 /prefetch:2
        5⤵
        
        PID:1680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        
        PID:3240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2404 /prefetch:8
        5⤵
        
        PID:3496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3160 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3896
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4548 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4572 /prefetch:8
        5⤵
        
        PID:2584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4648 /prefetch:8
        5⤵
        
        PID:2040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4468,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4832 /prefetch:8
        5⤵
        
        PID:1568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4948 /prefetch:8
        5⤵
        
        PID:1908
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4276,i,14061204156956726134,10217692652149652419,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5264 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:124

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTlDNTYwMUEtRDlFMy00ODE2LTk4MzItNTZFRkM0RUMwMUE0fSIgdXNlcmlkPSJ7MkY4MTM2OUItNDY2MS00MDc1LTg1NjAtQ0Q4MkY0ODdBNDJDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUQ2Mjg2QkMtRTU1NS00M0Y3LUIwODYtM0U0QjA2OTZDNTUxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDA0OCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTg2OTkzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3MjQzNjMyMjMiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2136

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
PID:240
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:3212
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77b096a68,0x7ff77b096a74,0x7ff77b096a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4704
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3144
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77b096a68,0x7ff77b096a74,0x7ff77b096a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77a796a68,0x7ff77a796a74,0x7ff77a796a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77a796a68,0x7ff77a796a74,0x7ff77a796a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2124
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77a796a68,0x7ff77a796a74,0x7ff77a796a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4252

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
1⤵
PID:1420
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\EDGEMITMP_77DF5.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\EDGEMITMP_77DF5.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2668
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\EDGEMITMP_77DF5.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\EDGEMITMP_77DF5.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\EDGEMITMP_77DF5.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff736bd6a68,0x7ff736bd6a74,0x7ff736bd6a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\msedge_7z.data

Filesize
3KB

MD5
a43e9ce8d33ed6eb2b8f5133450d64dd

SHA1
f2b9a2eab4b80d7bef0a6e076423993b77f66332

SHA256
39bace95aa685a42bb379404c0e4f2a11254a7d5ab9a9b5551d311d1dbc05bb6

SHA512
9db1c9de9521cd7bd4af5062693d3557ab196fd552bb6000c1d4266426127c9c7c6eada263e90f99bf941fb1c863d10463940e164a03e0742ee070a35fbcdf6e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9C41992-BEEF-43E9-95AA-E2590500CCDB}\EDGEMITMP_77DF5.tmp\SETUP.EX_

Filesize
2.7MB

MD5
1a59a8af3c58b30ff0fe71db2196b24b

SHA1
6b0e5ba36f4fc5328ec494272054a50cafa13e68

SHA256
ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d

SHA512
f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F3EE5BCB-2D7B-452C-B507-485F4963B3F9}\EDGEMITMP_71F05.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
ad5f7dc7ca3e67dce70c0a89c04519e0

SHA1
a10b03234627ca8f3f8034cd5637cda1b8246d83

SHA256
663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

SHA512
ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

Download Submit
C:\Users\Admin\AppData\Local\70fc33f9-3aac-42ba-ad10-317d261bd0f4\updater.exe

Filesize
4.8MB

MD5
9c34d1555408e02bf79d305e14da648f

SHA1
3ade53d77f21861819565b4902d42d17b26b0771

SHA256
81a16262857bdc1497888c2196a6abb068da74a736724f34828b048777560cce

SHA512
be426e3af1d0888cf1b9dd61f01f9010f4f2f83a979acdafb27eae99b21b96e96391ecd73d01f60d087c36adce9538ce8f307bf9660a8b6cf4306e7b6dca1a46

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e2deb4d286e83494c4ceb8e59f078258

SHA1
783019449e219e9f1adb699c1f07bcd1074c6b82

SHA256
b56d59c2ee199dceab7306a3dc9cf7c8635807e7df8f80ab9bf2bb7f4b28bc10

SHA512
90dc31c7daae5ee6cabe51a3548498aa78b2e02c893390b862c39d6ce6443b595cc09d9639e07020fdc8c2700e6aad98ea159ab9fc540211f1567dcd1ea57035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c85bd9a0eb3287dd9500e688d8d112d7

SHA1
6c9b9e87a54475a5d495a5fede73fd7ac023b9a9

SHA256
8884620d5ffdd0009234d6149dbc038fa8a94b720793938562414b7f34bf8341

SHA512
03e2c221fc720d8abad919c148287bed9f0444b45aab7a68909de521ef006fc3475d3860e660ef1b8ececeaed05fa5ae00248c80826e25c8310a31ff33601f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f7233a7d770c23873ec6fded714cc268

SHA1
8e7c2de54a747a6c434c6c1acdf499880ba551f4

SHA256
b96d700605950d3446ae5448fe3b3175bb8870fba7d190f90910701dafd0eecf

SHA512
16fddc4e383a433735e881519dc4dedfcc4feffe64c3307e8887b3bf99cc1da6afaac695952d384f43ef519713c3423227a7c0c09467ddad8e55568355e6e1c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c5de69e04309c40b09b9539819207e21

SHA1
e768656c8d418bcff3b9b57eacd8f1e32370e63c

SHA256
fadbbdc070fb4f14bb6d756c0103f521d1247a60488ca1045062cc1b952b5313

SHA512
e683c1de7c0a7ea8eceb76ca3ea661880978492a00ff0eb419210e06a908b14376b189afbbd8319f5b5d6a6bc3d99d305feaeffaeda408f506413f9a88c165bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
22776bd6a5f5796b8d1e66477ff71065

SHA1
12d87ab5e45716a8c2746d71bbf0920f8e141d2c

SHA256
c247c95ad08d9fc84590d759fefe8c4449654274f2d4c27fb45eb8a539220695

SHA512
040310384abe3f19386a4a7a468388bb539503c992476eaa038683f7909f87ed791c1ce4b43262b1c3d9dfcbdd85a3517ea0339c9821c699992b9bce142bc6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
767506802188abc6a38a5b7dcf265d0c

SHA1
dfb1dec8b892fdca159f9e923804495ed9258ade

SHA256
8dac0bd785c1fe5b7bb66eee501017d8e4681402a7a3cc3e2e81d43b98b7b09b

SHA512
9f8d03240372fea2bef1ae92a05ba7d6f4c8fa87f568f119a7aceec37fe1a0525efa6496e484bacfe74c9da920c4a9ab861cd1124ad59f31ae50bd7f435386cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b5eb6c5ec57d090f8c157dfb7cf125b7

SHA1
6c873844b0d52476b4efffc41c20b53b3ad86fe6

SHA256
26dbac7a3cfa7774165ba0d884c2af7417f9b2d84e551ae1ce30325a109d1395

SHA512
e522ade7f234d20117857c0fb20a920b791c757f01622649df10a3fd1339e380111264b56e35bec6e4f10cd7f222ffa371d7cd484944991ff333a050e994c7a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
90c36cfc967269bd3cf6c75634bd84f9

SHA1
e4cffd58f23cb88f564e41db7eb7ea1c8a22f373

SHA256
6d6f561e6d016e0ab3f5251cdd380145bebeaa3c5383045e685ad22eb1e0b9ed

SHA512
8daf8d6749b0b269d7085cb5b5bcb87274ba748e12215f86eef7c5cf06fe9ab7c32e89e71fedf458b2a4444229597ee81b6264132bb473c48940bf54d09dfd1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1397709d104747e84bf106ba5db16049

SHA1
bb224f426aaf12b1ac5bb0682e3421d698406f51

SHA256
e1dc7bdca6a0dde2043cfaeee60e1d5d2f22f5976eb63c5dd1a7b0d15a0e960d

SHA512
fc0d30d5bad1fddb604792dc463dfd021c8ea705255267e516309081ee7067d7956ec13e127ffbe2141a7a3b03d9fd8ed89d76996afc928dbbf5408889a39d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f90b3941f07b5eebc294fd5c075609b3

SHA1
f901ac816bc4441255bcad94e7d6f70e990b82af

SHA256
03c35b0dafe44a9a7e884391bcf532a15c1af5a6c48419cc39efff8a8fa4ec13

SHA512
ed5e95203ac29431676f0cb6d0d9c28024ea60bf70a945a34875566d11e56da6b2ea694640cb2cf4259cc995234bb4696d7e99480bd28753b03bbf9d8e9954c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
9e5cf7686890872be7affd60359aa568

SHA1
24972852e59d592b9c4974054880a9cc91b8e04d

SHA256
0af6e3d84d195dcc77cc095fe460534592a2216ae5e6d407bcdf2e298701f431

SHA512
c72b1905c8321de4674fd15d659f53c350d5ba05182f5fd78de3d1fddbe3512848877b82489b6a6c97bbdbf8b2c54b167e98db98dfe99f204f37ac1a5eb5902c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
544d23d727e6f40df8f41d07f2a4438a

SHA1
c9b35714538551a1020e48151b5311fa7957b4ab

SHA256
1191104eb061819e3e636a586654369d2ffe9f140f25d332abc91d1023456461

SHA512
fedcb6bfc174e1cbd304549514aa1fc2f21111d5d120b87b1b16143f03a4957b880f3a62ac2f3b7ef90d4ae1a8942f261e18f0a3b62358ac304f371b065be0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1nhkm5m.v0g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
75KB

MD5
df5cb3fe41d55661b1ae1a68f9e724e2

SHA1
74d438d82ab34ef67ab8fd40690bdab57e3e7732

SHA256
acc768717fba05f01897ec5dde6e6f834c1922533fdfe7877d5f182ada46fd26

SHA512
d6421b7b352eed118d60c9717db08f169370b535da1fd2a19fa722b9c1059b79cd085128b6aa7155d3ef77c86141b2889fab0730eb2804069129b9cbdc5c6618

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
103KB

MD5
afca16206bd916872be9ff72d7cd4240

SHA1
9dc48fac6f2b5d386b864aa48f39aa96f9d60f03

SHA256
35444bea9ea7e6c2d42eec7248c365b7352f30ac2afb0a56a770fa8668faf318

SHA512
207b0a6e6ddcb7523b3f9f625d0ca341df97c6cf9e665f346fcd988f8c001935205854a0b816f6566409f56178bde2dfac7c87d6344f0767d6d0f3920bb9ef5d

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
105KB

MD5
48805c5fb9ee353c2cd0e49750adea0b

SHA1
41d11007e44675a361977685d5ef188c8c199db9

SHA256
1a591a0010d77ef0f4c7adfdfcae8e1712ec0671ebceeb54eeeb44d145313415

SHA512
8367e8b572f06ce0c5cc535cfa5589fc4f0b66ab41240fee86809a2933ddd987b6d71c3448d1d307259d45dd7cfaca3f60a6318a6427b3380187a8c3debea8a5

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
107KB

MD5
f508ad45aab886e274d5fd39c583bb35

SHA1
f0a250ac8df4874694529754582ed6e94a0a8dc1

SHA256
66a268fc1b07615a437d6b9a78f5543bddb62cfc583ac9b38d16cca46da9b33c

SHA512
7a11c974d6dc27573a20d62fddf3976da275f9b2f588c7a6ee360a341741fdd257671c35bb4562414278636a07ac84a53f547d9fff74df75141c8dc156744fe4

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
113KB

MD5
f48627421a7301befcbde7c58db6ea43

SHA1
6339c00cad9fb5173edd72c1b9d0da8a4db48778

SHA256
8c08f8880d5711a28e0670746d74925a876fecee196047c2524c928473b42f19

SHA512
5086e990df6571f10ced60b0f3065e55201c466d6374efc0f7ffc6758a2f0153c84be3d46b5169451ff42207c6ab83ac44279dede13e36886fd8b9fd956ff37e

Download Submit
memory/2472-67-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-70-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-58-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-54-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-53-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-106-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-105-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-68-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2472-69-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/4240-0-0x00007FFCDF863000-0x00007FFCDF865000-memory.dmp

Filesize
8KB

Download
memory/4240-17-0x00007FFCDF860000-0x00007FFCE0322000-memory.dmp

Filesize
10.8MB

Download
memory/4240-16-0x00007FFCDF860000-0x00007FFCE0322000-memory.dmp

Filesize
10.8MB

Download
memory/4240-15-0x00007FFCDF863000-0x00007FFCDF865000-memory.dmp

Filesize
8KB

Download
memory/4240-13-0x0000022A31FB0000-0x0000022A32756000-memory.dmp

Filesize
7.6MB

Download
memory/4240-12-0x00007FFCDF860000-0x00007FFCE0322000-memory.dmp

Filesize
10.8MB

Download
memory/4240-11-0x00007FFCDF860000-0x00007FFCE0322000-memory.dmp

Filesize
10.8MB

Download
memory/4240-18-0x00007FFCDF860000-0x00007FFCE0322000-memory.dmp

Filesize
10.8MB

Download
memory/4240-10-0x0000022A313D0000-0x0000022A313F2000-memory.dmp

Filesize
136KB

Download
memory/4240-9-0x00007FFCDF860000-0x00007FFCE0322000-memory.dmp

Filesize
10.8MB

Download